Microsoft admits to Wi-Fi security hole

NEWS

Microsoft has admitted that there is a security flaw in the way Windows handles wireless connections, but the company has said it may not fix the problem until its next Service Pack is released.

The flaw, within a Windows feature that automatically searches for a Wi-Fi network to connect to, was made public last Saturday by security researcher Mark Loveless at hacker conference ShmooCon. It can be used by a hacker to gain access to files on a victim's laptop, Loveless claimed.

Microsoft told ZDNet UK that it had finished investigating this claim, and had found that there is scope for users to be compromised. However, it does not plan to rush out a fix.

"Due to the design of this feature, the most appropriate method for adjusting the default behaviour is in a future Service Pack or update rollup," Microsoft said in a statement.

On Tuesday, Microsoft revealed that it was not planning to release the next Service Pack for XP, called XP SP3, until the second half of 2007.

Loveless told ShmooCon that when a PC running Windows XP or Windows 2000 boots up it will automatically try to connect to a wireless network. If the computer can't set up a wireless connection, it will establish an ad hoc connection to a local address. This is assigned with an IP address and Windows associates this address with the SSID of the last wireless network the PC connected to.

The machine will then broadcast this SSID, looking to connect with other computers in the immediate area. The danger arises if an attacker listens for computers that are broadcasting in this way, and creates a network connection of their own with that same SSID. This would allow the two machines to associate together, potentially giving the attacker access to files on the victim's PC.

Security experts said on Monday that users would be unlikely to be at risk if they had installed Service Pack 2 and enabled a local firewall.

Microsoft recommended on Wednesday that customers enable a firewall, get software updates, and install antivirus software. Customers who believe they may have been affected can contact Microsoft Product Support Services via its Web site.

Post your comment

In order to post a comment you need to be registered and logged in

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

ZDNet UK Live

"No doubt some of these problems could have been solved if a Linux expert had been there to give them a hand, but there are not many around." It's...

2 minutes ago by apexwm on While PC shipments will grow to a million per day, netbooks are in decline

@apexwm >> "They can save maybe up to 1% of their IT costs" > I'd like to know how you propose this number? MS Office costs hundreds > per copy,...

4 minutes ago by Jack Schofield on Late starters to Windows 7 migration may find it more costly, says Gartner

@apexwm > I would be curious to know what exactly they mean by "mini-notebooks are > less-than-perfect substitutes for standard low-end laptops"....

29 minutes ago by Jack Schofield on While PC shipments will grow to a million per day, netbooks are in decline

Digital Britain author attacks the government for delaying the 2Mbps universal service commitment http://bit.ly/ciAS2s

32 minutes ago on Twitter by superglaze

Researchers at Norwegian and German institutes claim to have successfully cracked quantum cryptography equipment http://bit.ly/bfQQRt

3 hours ago on Twitter by LarsTS

Quantum crypto detectors cracked by researchers http://tinyurl.com/32orrr8 @schneierblog - your thoughts?

3 hours ago on Twitter by benrothke

Suse Linux Enterprise Server for VMware ships: By Jack Clark, ZDNet UK, 2 September, 2010 17:11 VMware and Novell ... http://bit.ly/bL9BMy

4 hours ago on Twitter by dominic_victor

RT @ZDNetUK_News: Dell abandons battle to buy 3Par: HP has won the short, sharp race to add the data storage management company to i... http://bit.ly/aLg1tA

4 hours ago on Twitter by Bhackett10

Suse Linux Enterprise Server for VMware ships: Businesses that buy vSphere licences will get SLES free of charge, ... http://bit.ly/adlav5

4 hours ago on Twitter by ZDNetUK_News

Dell abandons battle to buy 3Par http://bit.ly/920Spv

4 hours ago on Twitter by superglaze

RT @ZDNetUK_News: iOS 4.2 available for iPad in November: The operating system update will allow wireless printing and audio and vid... http://bit.ly/azstPx

5 hours ago on Twitter by qbspchelp

@gruber @daringfireball It's here, but will it get used? Universal wireless charger standard gets public release http://bit.ly/doJO2u

5 hours ago on Twitter by superglaze

Universal wireless charger standard gets public release http://bit.ly/cCdlZv

5 hours ago on Twitter by ZDNetUK_News

#IPv6 repost RT @pixeladdikt: RT @RIPE_NCC: ~"IPv6 news: using #IPv6 to connect everything http://bit.ly/dtJvh3 " ... http://bit.ly/aRkCNT

6 hours ago on Twitter by IP_v6

Windows Phone 7 released to manufacturers http://bit.ly/addml7

6 hours ago on Twitter by paulallen77

Windows Phone 7 released to manufacturers http://bit.ly/b9oigT

6 hours ago on Twitter by ImGoneBuzzirk

RT @pixeladdikt: RT @RIPE_NCC: ~"IPv6 news: using #IPv6 to connect everything http://bit.ly/dtJvh3 " +ArchRock :)

6 hours ago on Twitter by trejrco

Carter attacks coalition over 2Mbps delay http://bit.ly/aPTmax | #Droid #Android

6 hours ago on Twitter by Droid_Phone

Windows Phone 7 released to manufacturers http://bit.ly/9rL0sc | #Droid #Android

6 hours ago on Twitter by Droid_Phone

Tony - on the 28th, Hotmail EAS on iPhone didn't work because it wasn't publicly available then. Ignore the email, which was part of the internal...

6 hours ago by First Take on Hotmail Exchange ActiveSync

Featured white papers

The benefits of email archiving

Bloor Research

Email archiving lowers the risk of being unable to find important documents and help in achieving regulatory compliance and answering litigation requests.

Download now